Your message dated Mon, 13 Feb 2017 16:33:35 +0000
with message-id <e1cdjzh-000adn...@fasolo.debian.org>
and subject line Bug#854723: fixed in diffoscope 77
has caused the Debian Bug report #854723,
regarding diffoscope: CVE-2017-0359: writes to arbitrary locations on disk based on the contents of an untrusted archive
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854723: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854723
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: diffoscope
Version: 67
Severity: grave
Tags: patch security
Justification: user security hole

Dear Maintainer,

5fdfe91e71f1c520d902350b18f793b8c69d9118 introduced a security hole where
diffoscope may write to arbitrary locations on disk depending on the contents
of an untrusted archive. For example, comparing the following two files:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=843811;filename=libBrokenLocale.a.0;msg=5
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=2;bug=843811;filename=libBrokenLocale.a.1;msg=5

Traceback (most recent call last):
  File "/home/infinity0/xx/diffoscope/diffoscope/main.py", line 281, in main
    sys.exit(run_diffoscope(parsed_args))
[..]
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 174, in extract
    self.ensure_unpacked()
  File "/home/infinity0/xx/diffoscope/diffoscope/comparators/utils/libarchive.py", line 219, in ensure_unpacked
    os.makedirs(os.path.dirname(dst), exist_ok=True)
  File "/usr/lib/python3.5/os.py", line 241, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/SYM64'

Note that this could easily have been something like /home/infinity0/.profile.

I have pushed a nearly-complete fix to git (after version 75 was just released)
which prevents the writes. However, reads are still done using the uncleaned
names, but this is a much less severe issue. So, if I don't supply a fix for
the second lesser issue soon, the existing fix should be released ASAP.

X

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (300, 'unstable'), (200, 'experimental'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages diffoscope depends on:
ii  python3-libarchive-c   2.1-3.1
ii  python3-magic          1:5.29-3
ii  python3-pkg-resources  33.1.1-1
pn  python3:any            <none>

Versions of packages diffoscope recommends:
ii  acl                        2.2.52-3
ii  apktool                    2.2.1+dfsg-2
ii  binutils-multiarch         2.27.90.20170124-2
ii  bzip2                      1.0.6-8.1
ii  caca-utils                 0.99.beta19-2+b1
ii  colord                     1.3.3-2
ii  cpio                       2.11+dfsg-6
ii  default-jdk [java-sdk]     2:1.8-58
ii  default-jdk-headless       2:1.8-58
ii  enjarify                   1:1.0.3-3
ii  fontforge-extras           0.3-4
ii  fp-utils                   3.0.0+dfsg-10
ii  fp-utils-3.0.0 [fp-utils]  3.0.0+dfsg-10
ii  genisoimage                9:1.1.11-3
ii  gettext                    0.19.8.1-2
ii  ghc                        8.0.1-17
ii  ghostscript                9.20~dfsg-2
ii  gnupg                      2.1.18-3
ii  jsbeautifier               1.6.4-6
ii  llvm                       1:3.8-34+b1
ii  mono-utils                 4.6.2.7+dfsg-1
ii  openjdk-8-jdk [java-sdk]   8u121-b13-2
ii  openssh-client             1:7.4p1-6
ii  pdftk                      2.02-4+b1
ii  poppler-utils              0.48.0-2
ii  python3-argcomplete        1.8.1-1
ii  python3-debian             0.1.30
ii  python3-guestfs            1:1.34.3-7
ii  python3-progressbar        2.3-4
ii  python3-rpm                4.12.0.2+dfsg1-1
ii  python3-tlsh               3.4.4+20151206-1+b1
ii  rpm2cpio                   4.12.0.2+dfsg1-1
ii  sng                        1.1.0-1+b1
ii  sqlite3                    3.16.2-2
ii  squashfs-tools             1:4.3-3
ii  unzip                      6.0-21
ii  vim-common                 2:8.0.0197-1
ii  xxd                        2:8.0.0197-1
ii  xz-utils                   5.2.2-1.2

Versions of packages diffoscope suggests:
ii  libjs-jquery  3.1.1-2

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: diffoscope
Source-Version: 77

We believe that the bug you reported is fixed in the latest version of
diffoscope, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mattia Rizzolo <mat...@debian.org> (supplier of updated diffoscope package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 13 Feb 2017 16:25:02 +0100
Source: diffoscope
Binary: diffoscope
Architecture: source
Version: 77
Distribution: unstable
Urgency: medium
Maintainer: Reproducible builds folks <reproducible-bui...@lists.alioth.debian.org>
Changed-By: Mattia Rizzolo <mat...@debian.org>
Description:
 diffoscope - in-depth comparison of files, archives, and directories
Closes: 854723 854745 854783
Changes:
 diffoscope (77) unstable; urgency=medium
 .
   [ Chris Lamb ]
   * tests/comparators/utils:
     + Correct logic of module_exists, ensuring we correctly skip in case of
       modules containing a dot in their name.  Closes: #854745
   * comparators/utils/libarchive:
     + No need to track archive directory locations.
   * Add --exclude option.  Closes: #854783
   * Add PyPI badge to README.rst.
   * Update .travis.yml from http://travis.debian.net.
 .
   [ Mattia Rizzolo ]
   * Add CVE reference to the changelog of v76.
   * Add my key to debian/upstream/signing-key.asc.
 .
   [ Ximin Luo ]
   * comparators/utils/libarchive:
     + When extracting archives, try to keep directory sizes small.
 .
 diffoscope (76) unstable; urgency=medium
 .
   [ Chris Lamb ]
   * Extract archive members using an auto-incrementing integer, avoiding the
     need to sanitise filenames and avoiding writes to arbitrary locations.
     (Closes: #854723 - CVE-2017-0359)
 .
   [ Ximin Luo ]
   * Simplify call to subprocess.Popen


--- End Message ---
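An added illustration (not diffoscope's own code) of the two approaches the report and the version 76 changelog entry describe, using a constructed tar archive: `escapes_unpack_dir` shows which member names from an untrusted archive would resolve outside the unpack directory under the older join-the-member-name pattern (without performing those writes), and `extract_numbered` mirrors the fix of writing each member to an auto-incrementing integer filename so the untrusted name is kept only as data. Function names and the sample member names are assumptions, and Python's stdlib tarfile stands in for libarchive.

```python
import io
import os
import tarfile
import tempfile

def build_hostile_archive() -> bytes:
    """Constructed sample: two members whose names try to escape the unpack
    directory (an absolute path and a '../' traversal) plus one benign member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (
            ("/SYM64/libBrokenLocale.so", b"absolute path member\n"),
            ("../.profile", b"traversal member\n"),
            ("lib/ok.txt", b"benign member\n"),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def escapes_unpack_dir(unpack_dir: str, member_name: str) -> bool:
    """Check only: where would os.path.join(unpack_dir, member_name) land?
    os.path.join discards unpack_dir entirely for an absolute member name,
    and '../' components walk out of it, as the reported traceback shows."""
    dst = os.path.realpath(os.path.join(unpack_dir, member_name))
    root = os.path.realpath(unpack_dir)
    return os.path.commonpath([root, dst]) != root

def extract_numbered(archive: bytes, unpack_dir: str) -> dict:
    """Fixed pattern: the destination path is built from a counter, never from
    the archive, so no sanitising of member names is needed for writes.
    Returns {index: original member name} so callers can still label output."""
    mapping = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        files = [m for m in tar.getmembers() if m.isfile()]
        for index, member in enumerate(files):
            dst = os.path.join(unpack_dir, str(index))
            with open(dst, "wb") as out, tar.extractfile(member) as src:
                out.write(src.read())
            mapping[index] = member.name
    return mapping

def demo() -> tuple:
    archive = build_hostile_archive()
    with tempfile.TemporaryDirectory() as unpack_dir:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            unsafe = [m.name for m in tar.getmembers()
                      if escapes_unpack_dir(unpack_dir, m.name)]
        mapping = extract_numbered(archive, unpack_dir)
        written = sorted(os.listdir(unpack_dir))  # only "0", "1", "2"
    return unsafe, mapping, written
```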
